User-manager default group roles

Joseph Reynolds jrey at linux.ibm.com
Tue Nov 17 09:19:32 AEDT 2020


What is the right way to assign default phosphor-user-manager "group 
roles" to dynamically created users?

Background: Currently, when a new local user is created via Redfish API 
POST /redfish/v1/AccountService/Accounts you have to specify a Redfish 
RoleId.  BMCWeb maps the RoleId to a phosphor user manager "Privilege 
Role" [1] and assigns ALL of the "group roles" to the new user [2].  Per 
[3] this is not intended, and I need to fix this for my use case.

IMHO, the correct approach is for the project to define a mapping from 
"role" to "privilege role" that can be used when dynamically creating a 
new user.  For example, the admin role maps to "ssh ipmi redfish web" 
whereas the readonly role maps to "ipmi redfish web" (omits "ssh").  
Then images can customize this as needed.

But where should this mapping be applied?  Does it belong in BMCWeb or 
in phosphor-user-manager [4]?  Should we have another D-Bus property [5] 
to give this mapping?

- Joseph

[1]: https://github.com/openbmc/docs/blob/master/architecture/user-management.md
[2]: https://github.com/openbmc/bmcweb/blob/929d4b57f10bc4200e16b71fbcf32521d8cc23c1/redfish-core/lib/account_service.hpp#L1435
[3]: https://github.com/openbmc/openbmc/issues/3643
[4]: https://github.com/openbmc/phosphor-user-manager/blob/master/user_mgr.hpp
[5]: https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/xyz/openbmc_project/User/Manager.interface.yaml


